Posts on Cloud,DevOps, Citrix,VMware and others. Also tracking my Continuous learning from Wintel to open source and development.
Words and views are my own and do not reflect on my companies views.
Disclaimer: some of the links on this site are affiliate links, if you click on them and make a purchase, I make a commission.

Wednesday, August 29, 2018

HashiCorp Terraform has revolutionized the way that infrastructure is managed by providing a common workflow across providers: write, plan, and apply. Today we're introducing the ability to execute plans remotely in Terraform Enterprise using the Terraform command-line interface (CLI).

As teams collaborate on Terraform code, a few challenges quickly emerge: state storage and synchronization, provider access credential distribution, a history of Terraform plan/applies, and more. Terraform Enterprise has existed for over a year to address these challenges, but it required CLI users to learn a separate web-based workflow.

In Terraform 0.11.8, we're introducing a preview of remote operations, beginning with remote plan. Remote operations execute the Terraform code remotely in Terraform Enterprise while CLI behaves exactly as if everything were still local. This solves all the above challenges of working with Terraform without changing the core workflow.

To read more about the Terraform Core Workflow in the context of an individual, team, and organization see the Core Workflow Guide we have published alongside this new feature.

The Remote Backend

Terraform 0.11.8 has a preview release of a remote backend that connects local configuration with Terraform Enterprise and enables remote operations.

When using the remote backend, all access credentials, variable values, and state are stored within Terraform Enterprise. No secret material needs to be requested or exist on the user's machine except for a Terraform Enterprise API key, since the secret-accessing parts of Terraform are executed remotely. This simplifies developing infrastructure with Terraform for any configuration to a single API token.

Once you run terraform init, Terraform will recognize this backend, automatically create Terraform Enterprise Workspaces, and copy the state files from your local Workspaces into Terraform Enterprise.

After this step, all state manipulation commands will operate against the remotely stored state automatically. Commands like terraform taint and terraform state mv work just like they do when working locally.

Remote Plan

With the backend configured, the terraform plan command will automatically trigger a remote plan.

The plan outputs almost identically as if it were run locally, but the entire operation was executed directly in Terraform Enterprise. The plan can also be viewed directly within Terraform Enterprise for users more comfortable with a UI or for sharing with teammates.

Benefits of Remote Operations

Preserving the core workflow: Whether you're using Terraform as an individual or with a team using Terraform Enterprise, the workflow is always the same and can be executed via the CLI: write, plan, apply. Remote plan is a major step towards enabling the core workflow from the CLI that is uniform across all of Terraform.

Securing secrets: With remote plan, access credentials and other secret values only need to exist on the machine executing Terraform. This eliminates the complexity of distributing and securing cloud access credentials to every Terraform user. Instead, each Terraform user only needs a Terraform Enterprise account and API key.

Non-public infrastructure access: Many companies use Terraform to automate providers that aren't publicly accessible, such as VMware vSphere installations. In this scenario, only Terraform Enterprise may have access to the vSphere API. Using remote plans, developer machines can still develop Terraform configurations without access directly to the underlying infrastructure control plane.

History, policy, approvals, and more: Terraform Enterprise provides a number of additional features that are automatically used with remote plans. Terraform Enterprise stores a history of executed plans, requires approval prior to apply, can execute policies to prevent non-compliant infrastructure change, and much more. This happens automatically by running terraform plan.

Apply

The apply step of the workflow currently still happens in the browser, having been triggered via the UI or the API. An upcoming version of Terraform will support remote terraform apply from the CLI as well.

Future

A preview release of remote plans is available for Terraform Enterprise users in Terraform 0.11.8. Remote applies will be supported in an upcoming Terraform release.

We have designed Terraform Enterprise to provide the best experience for teams collaborating on infrastructure, and we are continuously honing and improving that experience every day. We plan for the full core Terraform workflow to be the same across both open source and enterprise products. We're also introducing access to more enterprise functionality directly from the CLI in future releases.